[PATCH v11 0/9] bpf: Add kfuncs for PKCS#7 signature verification

Roberto Sassu roberto.sassu at huawei.com
Tue Aug 16 07:12:32 UTC 2022


> From: Daniel Borkmann [mailto:daniel at iogearbox.net]
> Sent: Monday, August 15, 2022 6:10 PM
> On 8/12/22 12:18 PM, Roberto Sassu wrote:
> > One of the desirable features in security is the ability to restrict import
> > of data to a given system based on data authenticity. If data import can be
> > restricted, it would be possible to enforce a system-wide policy based on
> > the signing keys the system owner trusts.
> >
> [...]
> > Changelog
> >
> > v10:
> >   - Introduce key_lookup_flags_check() and system_keyring_id_check() inline
> >     functions to check parameters (suggested by KP)
> >   - Fix descriptions and comment of key-related kfuncs (suggested by KP)
> >   - Register kfunc set only once (suggested by Alexei)
> >   - Move needed kernel options to the architecture-independent configuration
> >     for testing
> 
> Looks like from BPF CI side, the selftest throws a WARN in test_progs /
> test_progs-no_alu32
> and subsequently fails with error, ptal:
> 
>    https://github.com/kernel-
> patches/bpf/runs/7804422038?check_suite_focus=true

Hi Daniel

it is due to the missing SHA256 kernel module (not copied to
the virtual machine).

I made a small patch in libbpf/ci to change kernel options =m
into =y. With that patch, my instance of vmtest gives success
(except for z15, which requires adding openssl and keyctl
to the virtual machine image).

Roberto

>    [...]
>    #235     verif_scale_xdp_loop:OK
>    #236     verif_stats:OK
>    #237     verif_twfw:OK
>    [  760.448652] ------------[ cut here ]------------
>    [  760.449506] WARNING: CPU: 3 PID: 930 at crypto/rsa-pkcs1pad.c:544
> pkcs1pad_verify+0x184/0x190
>    [  760.450806] Modules linked in: bpf_testmod(OE) [last unloaded:
> bpf_testmod]
>    [  760.452340] CPU: 3 PID: 930 Comm: keyctl Tainted: G           OE      5.19.0-
> g9f0260338e31-dirty #1
>    [  760.453626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
>    [  760.454801] RIP: 0010:pkcs1pad_verify+0x184/0x190
>    [  760.455380] Code: 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df 89 c6 5b 41
> 5c 41 5d 41 5e 41 5f 5d e9 a5 04 00 00 0f 0b b8 ea ff ff ff eb d4 <0f> 0b b8 ea ff
> ff ff eb cb 0f 0b 90 0f 1f 44 00 00 53 48 89 fb c7
>    [  760.456866] RSP: 0018:ffffad55478dbb58 EFLAGS: 00000246
>    [  760.457684] RAX: ffff9b3c43c42458 RBX: ffff9b3c48975b00 RCX:
> 0000000000000000
>    [  760.458672] RDX: ffffffffa7277438 RSI: ffffffffa5275510 RDI:
> 0000000000000000
>    [  760.459670] RBP: ffffad55478dbcf8 R08: 0000000000000002 R09:
> 0000000000000000
>    [  760.460688] R10: ffffad55478dbc20 R11: ffffffffa44dde10 R12:
> ffff9b3c43de2e80
>    [  760.461695] R13: ffff9b3c58459ea0 R14: ffff9b3c44d59600 R15:
> ffffad55478dbc20
>    [  760.462270] FS:  00007ff1ee0eb740(0000) GS:ffff9b3cf9cc0000(0000)
> knlGS:0000000000000000
>    [  760.462722] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>    [  760.463026] CR2: 000055b9a4c17588 CR3: 0000000107bb2000 CR4:
> 00000000000006e0
>    [  760.464039] Call Trace:
>    [  760.464465]  <TASK>
>    [  760.464749]  public_key_verify_signature+0x4a2/0x570
>    [  760.465623]  x509_check_for_self_signed+0x4e/0xd0
>    [  760.465937]  x509_cert_parse+0x193/0x220
>    [  760.466656]  x509_key_preparse+0x20/0x1f0
>    [  760.466975]  asymmetric_key_preparse+0x43/0x80
>    [  760.467552]  key_create_or_update+0x24e/0x510
>    [  760.468366]  __x64_sys_add_key+0x19b/0x220
>    [  760.468704]  ? syscall_enter_from_user_mode+0x24/0x1f0
>    [  760.469056]  do_syscall_64+0x43/0x90
>    [  760.469657]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>    [  760.470413] RIP: 0033:0x7ff1edf0ba9d
>    [  760.470832] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8
> 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d cb e2 0e 00 f7 d8 64 89 01 48
>    [  760.472742] RSP: 002b:00007ffe635e7a18 EFLAGS: 00000246 ORIG_RAX:
> 00000000000000f8
>    [  760.473355] RAX: ffffffffffffffda RBX: 00007ffe635e7be0 RCX:
> 00007ff1edf0ba9d
>    [  760.474523] RDX: 000055982fed80c0 RSI: 00007ffe635e7f17 RDI:
> 00007ffe635e7f0c
>    [  760.475500] RBP: 00007ffe635e7a38 R08: 00000000fffffffd R09:
> 0000000000000000
>    [  760.475913] R10: 0000000000000355 R11: 0000000000000246 R12:
> 0000000000000000
>    [  760.476594] R13: 00007ffe635e7bd8 R14: 000055982fed48ae R15:
> 000055982fed76e8
>    [  760.477579]  </TASK>
>    [  760.477769] irq event stamp: 4727
>    [  760.477963] hardirqs last  enabled at (4735): [<ffffffffa4101df5>]
> __up_console_sem+0x75/0xa0
>    [  760.479036] hardirqs last disabled at (4744): [<ffffffffa4a31cca>]
> sysvec_apic_timer_interrupt+0xa/0xb0
>    [  760.480403] softirqs last  enabled at (4762): [<ffffffffa4085172>]
> __irq_exit_rcu+0xb2/0x140
>    [  760.480869] softirqs last disabled at (4755): [<ffffffffa4085172>]
> __irq_exit_rcu+0xb2/0x140
>    [  760.481706] ---[ end trace 0000000000000000 ]---
>    Generating a RSA private key
>    .+++++
>    ..................................................+++++
>    writing new private key to '/tmp/verify_sigXdOL5V/signing_key.pem'
>    -----
>    add_key: Invalid argument
>    test_verify_pkcs7_sig:PASS:mkdtemp 0 nsec
>    test_verify_pkcs7_sig:FAIL:_run_setup_process unexpected error: 1 (errno
> 126)
>    #238     verify_pkcs7_sig:FAIL
>    #239     vmlinux:OK
>    #240     xdp:OK
>    #241/1   xdp_adjust_frags/xdp_adjust_frags:OK
>    #241     xdp_adjust_frags:OK
>    #242/1   xdp_adjust_tail/xdp_adjust_tail_shrink:OK
>    #242/2   xdp_adjust_tail/xdp_adjust_tail_grow:OK
>    [...]


More information about the Linux-security-module-archive mailing list